analysis of security apis (part i) · guessing a secret via api calls the mastermind game the...

Analysis of Security APIs(part I)

Riccardo Focardi

Universita Ca’ Foscari di Venezia, [email protected]

http://www.dsi.unive.it/~focardi

http://secgroup.ext.dsi.unive.it/

FOSAD 2010Bertinoro, Italy, September 6-11, 2010

FOSAD 2010 () Analysis of Security APIs September 2010, Bertinoro 1 / 42

Security APIs Introduction

Security APIs

Example 1: Hardware Security Module (HSM)

Used in the ATM Bank network

Tamper resistant

Security API for

Managing cryptographic keysDecrypting/re-encrypting the PINChecking the validity of the PIN

Example 2: PKCS#11 API for tokens/smarcards

Example 3: API to a service or on-line game

Outline of the course

Today: PIN processing APIs

Attacks to guess bank PINsBest strategies to break PINsLanguage-based analysis and fixes

Tomorrow: PKCS#11 devices

Attacks to compromise a sensitive keyA formal model of PKCS#11How to secure PKCS#11: a software tokenTookan: Analysis of real tokens

PIN processing APIs The ATM bank network

PIN processing infrastructure

PINPINPIN

Accept

Refuse

{PIN}k1

{PIN}k2

{PIN}k3

{PIN}k4

PINPIN

Accept

Refuse

{PIN}k1

{PIN}k2

{PIN}k3

{PIN}k4

PINPINPIN

Accept

Refuse

{PIN}k1

{PIN}k2

{PIN}k3

{PIN}k4

PINPINPIN

Accept

Refuse

{PIN}k1

{PIN}k2

{PIN}k3

{PIN}k4

Accept

Refuse

{PIN}k1

{PIN}k2

{PIN}k3

{PIN}k4

Hardware Security Module (HSM)

Tamper resistant

Security API for

Managing cryptographic keysDecrypting/re-encrypting the PINChecking the validity of the PIN

PIN processing APIs PIN verification in the HSM

The PIN verification API

Encrypted PIN Block : contains the PIN at the ATM

PIN V( EPB , vdata,len,dectab,offset )

Data for computing the user PIN

Returns the equality of the two PINs

Example: PIN V({4104, r}k ,vdata,4,0123456789012345,4732)

1 deck({4104, r}k) = 4104, r4104

2 encpdk(vdata) = A47295FDE 32A48B10472 ⊕ 4732 mod 10 = 4104

3 The two values coincide: PIN V returns ‘true’

1 deck({4104, r}k) = 4104, r4104

1 deck({4104, r}k) = 4104, r

1 deck({4104, r}k) = 4104, r4104

2 encpdk(vdata) = A47295FDE 32A48B1

0472 ⊕ 4732 mod 10 = 4104

1 deck({4104, r}k) = 4104, r4104

0472 ⊕ 4732 mod 10 = 4104

1 deck({4104, r}k) = 4104, r4104

⊕ 4732 mod 10 = 4104

1 deck({4104, r}k) = 4104, r4104

The code for PIN verification

PIN V(EPB, vdata, len, dectab, offset) {x1 := encpdk(vdata);x2 := left(len, x1 );x3 := decimalize(dectab, x2 );u pin := sum mod10(x3 , offset);

x4 := deck(EPB);t pin := fcheck(x4 );

if (t pin =⊥) then return(′′format wrong ′′);if (t pin = u pin) then return(′′PIN is correct ′′);

else return(′′PIN is wrong ′′)}

PIN processing APIs Attacker model

Secure? Against who ... ?

Security property

Confidentiality: PIN should never be disclosed

Cards can be cloned, user PIN is the only secret

Worst case scenario

the attacker works inside the bank

breaks into the system and have direct access to the HSM

can perform any sequence of API calls

... but no direct access to HSM keys, memory or resources

But, how can we break PIN secrecy by just calling the API?... have you ever played Mastermind?

Security property

Worst case scenario

Security property

Worst case scenario

Guessing a secret via API calls The Mastermind Game

The Mastermind Game

Invented by the Israeli postmaster and telecommunications expertMordecai Meirowitz in 1970;

4 pegs from 6 possible colors, duplicates are allowed.

The codemaker chooses a sequence of 4 pegs, the codebreaker has toguess it

Goal: Minimize the number of guesses

Guessing a secret via API calls The Mastermind Game

The Mastermind ‘API’

The codebreaker ‘calls’

MasterMind(guess)

where ‘guess’ is a sequence of 4 pegs

The return value is a set of 4 markers:red marker: right color and position;white marker: right color and wrong position.

Partial information about the secret sequence ...

Guessing a secret via API calls Playing mastermind on PIN V?

Can we ‘play mastermind’ on this API?

1 deck({4104, r}k) = 4104, r4104

Guessing a secret via API calls The ‘decimalization’ attack on PIN V

The ‘decimalization’ attack on PIN V [Bond, Zielinski ’03]

PIN V({4104, r}k ,vdata,4,0123456789012345,4732)

1 deck({4104, r}k) = 4104, r4104

3 PIN V returns ‘true’

We discover that the first digit is 4 with 2 API calls, being lucky

Has this kind of attack been tried on real bank systems?

How long does it take to discover the whole PIN?

PIN V({4104, r}k ,vdata,4,0123456789012345,4732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,4732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,4732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,4732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,4732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,4732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,4732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,4732)

1 deck({4104, r}k) = 4104, r4104

3 PIN V returns ‘false’

PIN V({4104, r}k ,vdata,4,1123456789112345,4732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,3732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,3732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,3732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,3732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,3732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,3732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,3732)

1 deck({4104, r}k) = 4104, r4104

PIN V({4104, r}k ,vdata,4,1123456789112345,3732)

1 deck({4104, r}k) = 4104, r4104

Reports suggest something has been going on ...

Verizon Breach Report 2008

“Were seeing entirely new attacks that a year ago were thought to be onlyacademically possible”“What we see now is people going right to the source [..] and stealing theencrypted PIN blocks and using complex ways to un-encrypt the PIN blocks.”

(Quotes from Wired Magazine interview with report author, Bryan Sartin)

Analysis of PIN processing APIs Finding efficient strategies

How many API calls are needed?

For a four digit PIN:

[Bond, Zielinski ’03] Average 16.5 API calls

[Steel, TCS06] Average 16.145 API calls

[Focardi, Luccio, FUN’10] Average 14.47 API calls(as instance of Mastermind)

Lower-bound of 13.362 API calls

Analysis of PIN processing APIs An extended mastermind

The Extended Mastermind Game

Colors: C = {0, 1, . . . ,N − 1}Secret sequence: (c1, c2, . . . , ck), with c1, . . . , ck ∈ CExtended guess: (S1,S2, . . . ,Sk), with S1, . . . ,Sk ⊆ C

Example

6 colors: C = {0, 1, . . . , 5}Secret: (1, 2, 3, 1)

Extended guess: ({1}, {3}, {1}, {1, 3})what’s the answer?

2 red and 1 white markers

Example

6 colors: C = {0, 1, . . . , 5}Secret: (1, 2, 3, 1)

Example

6 colors: C = {0, 1, . . . , 5}Secret: (1, 2, 3, 1)

Red Markers

Definition (Red markers)

The number b of red markers is computed as r = |{i ∈ [1, k] | ci ∈ Si}|.

Example

Secret: (1, 2, 3, 1)

Extended guess: ({1}, {3}, {1}, {1, 3})r = |{i ∈ [1, k] | ci ∈ Si}| = 2

Red Markers

Definition (Red markers)

The number b of red markers is computed as r = |{i ∈ [1, k] | ci ∈ Si}|.

Example

Secret: (1, 2, 3, 1)

Extended guess: ({1}, {3}, {1}, {1, 3})r = |{i ∈ [1, k] | ci ∈ Si}| = 2

White Markers

Secret : (c1, c2, . . . , ck), Extended guess: (S1, S2, . . . ,Sk)

pj = |{i ∈ [1, k] | j = ci}| occurrences of a color j in the secretqj = |{i ∈ [1, k] | j ∈ Si}| occurrences of a color j in the guess

Definition (White markers)

The number w of white markers is computed as w =N∑j=1

min(pj , qj)− r .

Example

Secret (1, 2, 3, 1) and extended guess ({1}, {3}, {1}, {1, 3}):

p1 = |{1, 4}| = 2, q1 = |{1, 3, 4}| = 3,min(p1, q1) = 2

p2 = 1, q2 = 0,min(p2, q2) = 0; p3 = 1, q3 = 2,min(p3, q3) = 1

w =N∑j=1

min(pj , qj)− r = 2 + 0 + 1− 2 = 1

White Markers

Secret : (c1, c2, . . . , ck), Extended guess: (S1, S2, . . . ,Sk)

pj = |{i ∈ [1, k] | j = ci}| occurrences of a color j in the secretqj = |{i ∈ [1, k] | j ∈ Si}| occurrences of a color j in the guess

Definition (White markers)

The number w of white markers is computed as w =N∑j=1

min(pj , qj)− r .

Example

Secret (1, 2, 3, 1) and extended guess ({1}, {3}, {1}, {1, 3}):

p1 = |{1, 4}| = 2, q1 = |{1, 3, 4}| = 3,min(p1, q1) = 2

p2 = 1, q2 = 0,min(p2, q2) = 0; p3 = 1, q3 = 2,min(p3, q3) = 1

w =N∑j=1

min(pj , qj)− r = 2 + 0 + 1− 2 = 1

We can still play Mastermind

Proposition

The Mastermind game is an instance of the Extended game

Proof.

Trivial: just restrict the sets in the estended guesses to singletons.

Analysis of PIN processing APIs PIN cracking by playing Mastermind

Cracking a PIN by playing extended Mastermind

Theorem

PIN cracking is an instance of the Extended Mastermind game

Proof.

Intuition: Restrict to cases in which guesses (S1, S2, . . . ,Sk) minus offsetprovide either equal or disjoint sets.

1 Modify the dectab mapping of all elements of the i-th set from d tod + i (mod 10)

2 Compensate by −i (mod 10) the offset in the corresponding positionsto find out whether those PIN digits are in the set.

The answer is four red markers if and only if PIN verification succeeds.

Example

Example: PIN V({4104, r}k ,vdata,4, 0123456789012345,4732 )

1 deck({4104, r}k) = 4104, r4104

We play: ({4, 5, 6, 7, 8}, {0, 1, 7, 8, 9}, {0, 1}, {2, 3, 4, 5, 6})

Subtract the offset: ({0, 1, 2, 3, 4}, {0, 1, 2, 3, 4}, {7, 8}, {0, 1, 2, 3, 4})Two disjoint sets: {0, 1, 2, 3, 4}, {7, 8}, change the dectab

Compensate the offset

PIN V returns ‘true’ iff PIN digits are in the sets

Example

1 deck({4104, r}k) = 4104, r4104

We play: ({4, 5, 6, 7, 8}, {0, 1, 7, 8, 9}, {0, 1}, {2, 3, 4, 5, 6})Subtract the offset: ({0, 1, 2, 3, 4}, {0, 1, 2, 3, 4}, {7, 8}, {0, 1, 2, 3, 4})Two disjoint sets: {0, 1, 2, 3, 4}, {7, 8}, change the dectab

Example

1 deck({4104, r}k) = 4104, r4104

Example

1 deck({4104, r}k) = 4104, r4104

Example

1 deck({4104, r}k) = 4104, r4104

Example

1 deck({4104, r}k) = 4104, r4104

Example

1 deck({4104, r}k) = 4104, r4104

Example

1 deck({4104, r}k) = 4104, r4104

Example

1 deck({4104, r}k) = 4104, r4104

An algorithm for the Extended Mastermind Problem

Based on [Knuth JRM76]: an algorithm for the solution of the standardMastermind problem (quasi optimal solutions).

1 Tries all the possible guesses. For each guess, computes the numberof ‘surviving’ solutions related to each possible outcome of the guess;

2 Picks the guess from the previous step which minimizes the maximumnumber of surviving solutions among all the possible outcomes andperforms the guess.

Focus on two kinds of guesses:

({0, 1, 2, 3, 4, 5}, {0, 1, 2, 3, 4, 5}, {0, 1, 2, 3, 4, 5}, {0, 1, 2, 3, 4, 5}),the same set repeated: checks if 6,7,8,9 are in the PIN

({1, 3}, {0, 2, 4, 5, 6, 7, 8, 9}, {0, 2, 4, 5, 6, 7, 8, 9}, {1, 3}),one set and its complementary

perform very well and still find a complete strategy

An algorithm for the Extended Mastermind Problem

Based on [Knuth JRM76]: an algorithm for the solution of the standardMastermind problem (quasi optimal solutions).

1 Tries all the possible guesses. For each guess, computes the numberof ‘surviving’ solutions related to each possible outcome of the guess;

2 Picks the guess from the previous step which minimizes the maximumnumber of surviving solutions among all the possible outcomes andperforms the guess.

Focus on two kinds of guesses:

({0, 1, 2, 3, 4, 5}, {0, 1, 2, 3, 4, 5}, {0, 1, 2, 3, 4, 5}, {0, 1, 2, 3, 4, 5}),the same set repeated: checks if 6,7,8,9 are in the PIN

({1, 3}, {0, 2, 4, 5, 6, 7, 8, 9}, {0, 2, 4, 5, 6, 7, 8, 9}, {1, 3}),one set and its complementary

perform very well and still find a complete strategy

Summary of results for PIN cracking

Four digit PINs

[Focardi, Luccio, FUN’10] Average 14.47 API callswith the previous algorithm in Python on this laptop ≈ 18 seconds

Five digit PINs

[Focardi, Luccio, FUN’10] Average 19.3 API calls ≈ 18 minutes

Lower bounds

The lower bounds for 4 and 5 digit PINs are 13.362 and 16.689, forthe average case

Four digit PINs

Five digit PINs

Lower bounds

Four digit PINs

Five digit PINs

Lower bounds

Analysis of PIN processing APIs How to fix the API

The ‘lunch-break’ attack

A realistic scenario

gaining access to the HSM and intercepting incoming data an insidermight disclose thousands of PINs in a lunch-break!

How to prevent the attack?

low-impact CVV-based fix [Focardi, Luccio, Steel, NORDSEC’09]

mitigates the attack (50000 times slower)

point-to-point MAC-based fix and type-based proof of security[Centenaro, Focardi, Luccio, Steel, ESORICS’09]

prevents the attack but requires modifying each HSM

efficient HSM upgrading strategies[Focardi, Luccio, ARSPA-WITS’10]

securing subnetworks while keeping service up

The ‘lunch-break’ attack

A realistic scenario

gaining access to the HSM and intercepting incoming data an insidermight disclose thousands of PINs in a lunch-break!

How to prevent the attack?

mitigates the attack (50000 times slower)

point-to-point MAC-based fix and type-based proof of security[Centenaro, Focardi, Luccio, Steel, ESORICS’09]

prevents the attack but requires modifying each HSM

efficient HSM upgrading strategies[Focardi, Luccio, ARSPA-WITS’10]

securing subnetworks while keeping service up

What kind of attack?

no cryptoanalysis and no broken protocols

Information-flow: variations on the input produce unintendedinformation leakage

Information flow Noninterference

Absence of information leakage [Goguen, Meseguer’82]

Noninterference

High behaviour is notobservable by the Low attacker

Noninterference

Noninterference is too much

PIN V({ 4104 , r}k ,vdata, 4, 0123456789012345, 4732)

PIN V intentionally ‘leaks’the correctness of the PIN

PIN correctness isdeclassified

PIN V({ 5832 , r}k ,vdata, 4, 0123456789012345, 4732)

Information flow Robustness

Robust declassification [Myers, Sabelfeld, Zdancewic ’06]

Robustness

Declassification is independent ofthe attacker behaviour

the attacker cannot cause torelease more informationthan intended

Robustness

PIN V is not robust!

PIN V({ 4104 , r}k ,vdata, 4, 0123456789012345 , 4732)

the insider tries adecimalization attack

PIN V now fails in bothcases

the attacker hasinfluenced declassification

PIN V({ 5832 , r}k ,vdata, 4, 0123456789012345 , 4732)

PIN V({ 5832 , r}k ,vdata, 4, 1123456789112345 , 4732)

PIN V({ 4104 , r}k ,vdata, 4, 1123456789112345 , 4732)

The code for PIN verification, what is wrong ... ?

PIN V(EPB, vdata, len, dectab, offset) {x1 := encpdk(vdata);x2 := left(len, x1 );x3 := decimalize(dectab, x2 );u pin := sum mod10(x3 , offset);

x4 := deck(EPB);t pin := fcheck(x4 );

if (t pin =⊥) then return(′′format wrong ′′);if (t pin = u pin) then return(′′PIN is correct ′′);

else return(′′PIN is wrong ′′)}

How to be robust?

declassify high-integrity data in high-integrity program points

declassify(xH = yH);

declassify(xH = zL);

if zL declassify(xH);

user PIN u pin is computed from low-integrity data

PIN V( {t pin, r}k , vdata,len,dectab,offset )

declassify(t pin = u pin)

How to be robust?

Fixing the API A MAC-based solution

Fixing PIN V

add a Message Authentication Code

m = 〈 {t pin, r}k , vdata,len,dectab,offset 〉j

PIN V+( {t pin, r}k , vdata,len,dectab,offset, m ) {

if macj( {t pin, r}k , vdata,len,dectab,offset ) = m. . . old PIN V code . . .

elseFAIL

MAC guarantees that data come from a specific user

Fixing the API Integrity w.r.t. a representative

Integrity representatives

MAC creation has to be regulated

with these three MACs the attacker can get the first PIN digit

〈 {4104, r}k , vdata, 4, 0123456789012345, 4732 〉j〈 {4104, r}k , vdata, 4, 1123456789112345, 4732 〉j〈 {4104, r}k , vdata, 4, 1123456789112345, 3732 〉j

vdata is the integrity representative: len, dectab, offset and the PINare ‘determined’ by vdata

More precisely, in the two MACs

〈{pin1, r1}k , vdata , len1, dectab1, offset1〉j〈{pin2, r2}k , vdata , len2, dectab2, offset2〉j

we require len1=len2, dectab1=dectab2, offset1=offset2, pin1=pin2

... still not robust!

user 1 has inserted the correct PIN:

PIN V+(EPB1, vdata1, len1, dectab1, offset1, m1) → true

user 2 has typed a wrong PIN:

PIN V+(EPB2, vdata2, len2, dectab2, offset2, m2) → false

the attacker affects declassification by calling PIN V+with data fromcompletely different users

... he only gets the expected outputs

disallow changes to vdata

Fixing the API Robustness, intuitively

PIN V+is robust, for each user

PIN V+( {pin, r}k , vdata, len, dectab, offset,〈 {pin, r}k , vdata, len, dectab, offset 〉j )

1 vdata cannot be manipulated (focus on one user)

2 vdata in the MAC must correspond

3 pin, len, dectab and offset in the MAC are determined

4 ... and must correspond to the ones outside

Note: The only possible change is in the random padding r

⇒ PIN V+result cannot be influenced by the attacker

⇒ PIN V+is robust

vdata : [VDATA] , dectab : [DTAB←↩VDATA]

⇒ PIN V+is robust

Fixing the API Confidentiality via cryptography

The ISO0 PIN block format

encrypting a secret produces a low-confidentiality ciphertext

Noninterference: changes to the secret plaintexts should beunobservable

not true in general: {1234}k = {1234}k

randomization helps: {1234, r}k 6= {1234, r ′}k

ISO0 uses (a part of) vdata: {1234, vdata}k

for different users with the same PIN, vdata is like randomization{1234, vdata}k 6= {1234, vdata′}kfor one user the PIN is determined by vdata

⇒ noninterference holds

not true in general: {1234}k = {1234}k{1234}k 6= {5678}k

randomization helps: {1234, r}k 6= {1234, r ′}k{1234, r}k 6= {5678, r ′}k

ISO0 uses (a part of) vdata: {1234, vdata}kfor different users with the same PIN, vdata is like randomization{1234, vdata}k 6= {1234, vdata′}kfor one user the PIN is determined by vdata

Fixing the API Summary

Summary: fixing PIN management APIs

robustness in a non-randomized cryptographic setting: existing PINprocessing APIs are not robust

a MAC-based fix of PIN V (and PIN T in the paper)

integrity w.r.t. a representative, e.g., dectab : [DTAB←↩VDATA]

a type system to type-check APIs

Theorem

1 Γ ` P then P is robust

2 if P does not declassify data, then P satisfiesnoninterference, too

More detail in [Centenaro, Focardi, Luccio, Steel, ESORICS’09]

Analysis of PIN processing APIs Conclusion

Conlusion

X API-level attacks to guess bank PINs(much more can be found in [Bond, Zielinski ’03, Clulow ’03])

X How to become rich by playing Mastermind:almost-optimal strategies to break PINs [Focardi, Luccio, FUN’10]

X Language-based analysis and fixes[Centenaro, Focardi, Luccio, Steel, ESORICS’09,Focardi, Luccio, Steel, NORDSEC’09]

Tomorrow we will see why some smarcard and crypto-tokens can beeasily cloned

Conlusion

X API-level attacks to guess bank PINs(much more can be found in [Bond, Zielinski ’03, Clulow ’03])

X How to become rich by playing Mastermind:almost-optimal strategies to break PINs [Focardi, Luccio, FUN’10]

X Language-based analysis and fixes[Centenaro, Focardi, Luccio, Steel, ESORICS’09,Focardi, Luccio, Steel, NORDSEC’09]

Tomorrow we will see why some smarcard and crypto-tokens can beeasily cloned

References

M. Bond and P. Zielinski.Decimalization table attacks for PIN cracking.UCAM-CL-TR-560, Univ. Cambridge, Computer Lab., 2003.

M. Centenaro, R. Focardi, F.L. Luccio, G. Steel.Type-Based Analysis of PIN Processing APIsIn proceedings of ESORICS’09, September 2009.

J. Clulow.The design and analysis of cryptographic APIs for security devices.Master’s thesis, University of Natal, Durban, 2003.

R. Focardi, F.L. Luccio,Cracking bank pins by playing mastermind.In Proceedings of FUN’10, June 2010.

R. Focardi, F.L. Luccio, G. Steel.Blunting Differential Attacks on PIN Processing APIsIn proceedings of NORDSEC’09, Obtober 2009.

References

R. Focardi, F.L. Luccio.Secure upgrade of hardware security modules in bank networksARSPA-WITS10 Paphos, Cyprus March 27-28, 2010.

IBM Inc.CCA Basic Services Reference and Guide for the IBM 4758 PCITechnical report, 2006. Rel. 2.53–3.27.

A. Myers, A. Sabelfeld, and S. Zdancewic.Enforcing robust declassification and qualified robustness.Journal of Computer Security, 14(2):157–196, May 2006.

G. Steel.Formal Analysis of PIN Block AttacksTheoretical Computer Science, 367, 1-2, pages 257-270, November 2006.

D. Knuth,The Computer as a Master Mind,Journal of Recreational Mathematics, 9, pages 1-6, 1976.

analysis of security apis (part i) · guessing a secret via api calls the mastermind game the...

Documents